Abstract

Variable binding is a prevalent feature of the syntax and proof theory of many logical systems. In this paper, we define a programming language that provides intrinsic support for both representing and computing with binding. This language is extracted as the Curry-Howard interpretation of a focused sequent calculus with two kinds of implication, of opposite polarity. The representational arrow extends systems of definitional reflection with a notion of scoped inference rules, which are used to represent binding. On the other hand, the usual computational arrow classifies recursive functions defined by pattern-matching. Unlike many previous approaches, both kinds of implication are connectives in a single logic, which serves as a rich logical framework capable of representing inference rules that mix binding and computation.

1 Introduction 

A logical framework provides a set of reusable abstractions that simplify the task of representing the syntax and semantics of logical systems, such as programming languages and proof theories. For example, the LF logical framework [17] permits facile representations of binding and scope ($\alpha$-equivalence, capture-avoiding substitution) using the LF function space, a type which corresponds to logical implication. In this broad sense of the phrase, programming languages such as ML and Haskell are even more basic examples of logical frameworks, in that algebraic datatypes permit first-order representations of syntax and proofs. These languages' function spaces, which also correspond to logical implication, provide support not for representing binding, but for computing with syntax and proofs by pattern-matching. In contrast, LF requires a separate layer such as Twelf [29] for computation, which means that it is impossible to embed computations in LF representations, something easily achieved in ML or Haskell by defining a datatype with a function as a component. In a dependent programming language (e.g., Coq or Agda [10, 28]), embedding computations in data is especially useful, since it gives the full strength of iterated inductive definitions in the style of Martin-Löf [23]. Because the same logical connective, implication, is used to represent binding in LF, and to compute with binding in ordinary functional programming, it has proved difficult to integrate binding and computation in a single framework.

On the other hand, one way of distinguishing different aspects of the "same" connective is through the logical notion of polarity [15]. For example, linear logic exposes two conjunctions of opposite polarity (positive $\otimes$ and negative $\&$), and likewise two disjunctions (positive $\oplus$ and negative $\parr$). Operationally, polarity can be given an intuitive explanation in terms of pattern-matching [41]: values of positive polarity can be eliminated by pattern-matching against their constructors, whereas values of negative polarity can be introduced by pattern-matching against their destructors. This is why, for example, in ordinary functional programming, functions can be defined by pattern-matching, but it is impossible to pattern-match against a function (except with a variable pattern): implication is a negative connective.

Our work began with the observation that, although variable binding behaves in some ways like ordinary implication, it also seems to have positive polarity. For example, in Twelf, LF functions are analyzed by matching against higher-order patterns. Following this intuition, we define a logic that includes both a positive form of implication (used to represent binding) and ordinary negative implication (used to compute with binding). This logic builds on definitional reflection [16, 35], which supposes a database of rules used both for building proofs of propositional atoms and for deriving consequences of atoms by "reflection" (i.e., by inverting the rules). Through the Curry-Howard interpretation, the rule database corresponds to a database of datatype constructors, which can be used both to build datatype values and to define functions by pattern-matching. The key novelty of our positive implication is that it permits this database of rules to vary. Positive implication, written $R \Rightarrow A$, internalizes the act of hypothesizing a new rule: a proof of $R \Rightarrow A$ is a proof of $A$ under assumption of the inference rule $R$. A value of type $R \Rightarrow A$ has the form $\lambda u.V$, where $u$ is a scoped datatype constructor. Such a value is deconstructed by pattern-matching with a higher-order pattern. We call this positive connective $\Rightarrow$ the representational arrow, as opposed to the negative connective $\to$, the ordinary computational arrow.

This approach to representing variable binding, which we call definitional variation, provides a more general theory of inference rules than LF, because rules can mix representational and computational functions. All rule systems representable in LF satisfy the structural properties of a hypothetical judgement (weakening, exchange, contraction, and substitution) because all LF rules are pure [4]: they place no constraints on the context in which they can be applied. In contrast, computational functions can be used to define impure rules: for example, if a rule system includes a rule with premise $P \to \bot$ asserting the refutability of $P$, it will not be possible to weaken a derivation using this rule to a context including a proof of $P$. However, this failure of the structural properties is not problematic in our framework. First, the representational arrow is eliminated by pattern-matching, not by application (modus ponens), so the framework itself requires no commitment to the structural properties. Second, using a notion of subordination [39], we can give general conditions under which the structural properties hold, and provide operations such as weakening and substitution "for free" when these conditions are satisfied. In this sense our calculus maintains the practical benefits of the LF approach, where the structural properties are provided by the framework, while providing a more general theory of inference rules.

Following Zeilberger [42], our computational arrow admits a form of open-endedness [20]: computational functions in our type theory are represented abstractly by meta-level functions from patterns to expressions. This open-endedness has several practical benefits: (1) We can implement structural properties such as weakening and substitution once as a datatype-generic program at the meta-level, reusing one implementation for a large class of rule systems. (2) We can realize meta-functions as programs in existing proof assistants, which permits us to reuse their pattern coverage checkers. (3) We can use our type theory as an interface for combining functions written in different proof assistants, using different implementations of binding, in a single program.

The technical contributions of this paper are as follows: In Section 2, we present a focused sequent calculus with both implications $\to$ and $\Rightarrow$, as well as a suite of other connectives. We define the identity and cut-elimination procedures, and prove they are total under assumptions about the form of the rule database. We discuss some counterintuitive logical properties of $\Rightarrow$, as well as a dual representational conjunction. In Section 3, we give a proof term assignment to the sequent calculus, yielding a functional programming language with an operational semantics given by cut elimination. In Section 4, we show that our framework extends simply-typed LF and discuss datatype-generic implementations of the structural properties. In Section 5, we illustrate programming in our type theory with an example that mixes binding and computation; more examples are available in our companion technical report [22].

2 Sequent Calculus 

When describing the sequent calculus in this section, we foreshadow the proof-term assignment given in Section 3, freely interchanging logical and type-theoretic terminology ("proposition" and "type", "implication" and "function space", "logic" and "type theory", etc.). The logic we construct is polarized, meaning that we maintain a syntactic separation between positive and negative propositions, and its proofs are focalized in the sense of Andreoli [3]. Following Zeilberger [41], the focused sequent calculus is defined in two stages. First, the polarized connectives are defined by axiomatizing the structure of patterns. Positive connectives are defined by constructor patterns, and negative connectives by destructor patterns. Second, there is a general focusing framework that is independent of the particular connectives of the logic.

For the sake of presentation, we begin by defining a focused sequent calculus for polarized intuitionistic logic, including the simple structure of patterns and the general focusing rules; this sequent calculus is a variation of the one given for polarized classical logic in [41]. We then extend the structure of patterns to describe the more expressive logic of definitional variation. Next, we prove the identity and cut theorems for this logic, and consider some interesting properties of the representational connectives.

2.1 Simple contexts and patterns 

We write $X^+, Y^+, Z^+$ and $X^-, Y^-, Z^-$ to stand for positive and negative propositional variables (atomic propositions), and $A^+, B^+, C^+$ and $A^-, B^-, C^-$ to stand for arbitrary positive and negative formulas. We use $\alpha$ to range over assumptions $X^+$ or $C^-$, and dually $\gamma$ to range over conclusions $X^-$ or $C^+$. A linear context $\Delta$ is a list of assumptions.

The positive connectives are defined through the judgement $\Delta \Vdash C^+$, which corresponds to applying only linear right-rules to show $C^+$ from $\Delta$. For example, the rules for atoms, conjunction, and disjunction are as follows:

$$
\frac{}{X^+ \Vdash X^+}
\qquad
\frac{\Delta_1 \Vdash A^+ \quad \Delta_2 \Vdash B^+}{\Delta_1, \Delta_2 \Vdash A^+ \otimes B^+}
\qquad
\frac{\Delta \Vdash A^+}{\Delta \Vdash A^+ \oplus B^+}
\qquad
\frac{\Delta \Vdash B^+}{\Delta \Vdash A^+ \oplus B^+}
$$



Foreshadowing the Curry-Howard interpretation, we refer to derivations of this judgement as constructor patterns; linearity captures the restriction familiar from functional programming that a pattern binds a variable just once.

Negative connectives are defined by $\Delta \Vdash C^- > \gamma$, which corresponds to using linear left-rules to decompose $C^-$ into the conclusion $\gamma$. A proof term for this judgement is a destructor pattern, which gives the shape of an elimination context (continuation) for negative types:

$$
\frac{\Delta_1 \Vdash A^+ \quad \Delta_2 \Vdash B^- > \gamma}{\Delta_1, \Delta_2 \Vdash A^+ \to B^- > \gamma}
\qquad
\frac{\Delta \Vdash A^- > \gamma}{\Delta \Vdash A^- \& B^- > \gamma}
\qquad
\frac{\Delta \Vdash B^- > \gamma}{\Delta \Vdash A^- \& B^- > \gamma}
$$

Observe that a destructor pattern for $A^+ \to B^-$ includes a constructor pattern for $A^+$, as well as a destructor pattern for $B^-$, matching the possible observations on a function type. We have adopted linear logic notation by writing $\otimes$ for positive and $\&$ for negative conjunction. In the present setting, both of these connectives encode ordinary intuitionistic conjunction with respect to provability, but they have different proof terms: positive conjunction is introduced by an eager pair whose components are values, and eliminated by pattern-matching against both components; negative conjunction is eliminated by projecting one of the components, and introduced by pattern-matching against either possible observation, i.e. by a lazy pair.

2.2 Focusing Judgements 

In Figure 1, we present the focusing rules. In these rules, $\Gamma$ stands for a sequence of linear contexts $\Delta$, but $\Gamma$ itself is treated in an unrestricted manner (i.e., variables are bound once in a pattern, but may be used any number of times within the pattern's scope).

The first two judgements concern the positive connectives. The judgement $\Gamma \vdash [C^+]$ defines right-focus on a positive formula, or positive values: a positive value is a constructor pattern under a substitution for its free variables. Focus judgements make choices: to prove $C^+$ in focus, it is necessary to choose a particular shape of value by giving a constructor pattern, and then satisfy the pattern's free variables. Values are eliminated with the left-inversion judgement $\Gamma \vdash \gamma_0 > \gamma$, which defines a positive continuation by case-analysis. Inversion steps respond to all possible choices that the corresponding focus step could make: the rule for $C^+$ quantifies over all constructor patterns for that formula, producing a result in each case. By convention, we tacitly universally quantify over metavariables such as $\Delta$ that appear first in a judgement that is universally quantified, so in full the premise reads "for all $\Delta$, if $\Delta \Vdash C^+$ then $\Gamma, \Delta \vdash \gamma$." The positive connectives are thus introduced by choosing a value (focus) and eliminated by continuations that are prepared to handle any such value (inversion). For atoms, the only case-analysis is the identity.
Figure 1. Focusing rules



The next two judgements concern the negative connectives, where the relationship between introduction/elimination and focus/inversion is reversed. A negative formula is eliminated by the left-focus judgement $\Gamma \vdash [C^-] > \gamma$, which chooses how to observe $C^-$ by giving a negative continuation. A negative continuation consists of a destructor pattern, a substitution, and a case-analysis. The destructor pattern and substitution decompose a negative type $C^-$ to some conclusion $\gamma_0$, for instance a positive type $C^+$. However, it may take further case-analysis of this positive type to reach the desired conclusion $\gamma$. Dually, negative types are introduced by inversion, which responds to left-focus by giving sufficient evidence to support all possible observations. The right-inversion judgement $\Gamma \vdash \alpha$, where assumptions $\alpha$ are negative formulas or positive atoms, specifies the structure of a negative value. A negative value for $C^-$ must show that, for all destructors of $C^-$, the conclusion is justified by the variables bound by the patterns in it.

The judgement $\Gamma \vdash \gamma$ defines a neutral sequent, or an expression: from a neutral sequent, one can either right-focus and return a value, or left-focus on an assumption in $\Gamma$ and apply a negative continuation to it. Finally, a substitution $\Gamma \vdash \Delta$ provides a negative value for each hypothesis.

At this point, the reader may wish to work through some instances of these rules (using the above pattern rules) to see that they give the expected derived rules for the connectives:

$$
\frac{\Gamma \vdash X^- \quad \Gamma \vdash Y^- \quad \Gamma \vdash Z^-}{\Gamma \vdash (X^- \& Y^-) \& Z^-}
\qquad
\frac{\Gamma, X^+ \vdash Z^- \quad \Gamma, Y^+ \vdash Z^-}{\Gamma \vdash (X^+ \oplus Y^+) \to Z^-}
$$

Figure 2. Patterns

$$
\frac{\Delta; \Psi \Vdash A^- > \gamma}{\Delta; \Psi \Vdash A^- \& B^- > \gamma}
\qquad
\frac{\Delta; \Psi \Vdash B^- > \gamma}{\Delta; \Psi \Vdash A^- \& B^- > \gamma}
\qquad
\text{(no rule for } \top)
$$

$$
\frac{\Delta_1; \Psi \Vdash A^+ \quad \Delta_2; \Psi \Vdash B^- > \gamma}{\Delta_1, \Delta_2; \Psi \Vdash A^+ \to B^- > \gamma}
\qquad
\frac{\Delta; \Psi, R \Vdash B^- > \gamma}{\Delta; \Psi \Vdash R \ltimes B^- > \gamma}
$$

We write $\Delta \Vdash (\Psi) A^+$ for $\Delta; \Psi \Vdash A^+$ and $\Delta \Vdash (\Psi) A^- > \gamma$ for $\Delta; \Psi \Vdash A^- > \gamma$.

2.3 Patterns for Definitional Variation 

In Section 2.1, we gave a fixed set of rules for constructing simple patterns. We now describe patterns for definitional variation by including an open-ended database of rules. A rule $R$ takes the form $P \Leftarrow A_1^+ \cdots \Leftarrow A_n^+$, where $A_1^+, \dots, A_n^+$ are positive formulas and $P$ is a defined atom. Rules are collected in a rule context $\Psi$, which is now carried through the pattern-typing judgements ($\Delta; \Psi \Vdash A^+$ and $\Delta; \Psi \Vdash A^- > \gamma$).

A rule $P \Leftarrow A_1^+ \cdots \Leftarrow A_n^+ \in \Psi$ can be applied to produce a constructor pattern for $P$:

$$
\frac{\Delta_1; \Psi \Vdash A_1^+ \quad \cdots \quad \Delta_n; \Psi \Vdash A_n^+}{\Delta_1, \dots, \Delta_n; \Psi \Vdash P}
$$

Note that rules can be applied an arbitrary number of times while constructing a pattern. Now, consider the pattern-typing rules for the new connectives of definitional variation, representational implication and representational conjunction:

$$
\frac{\Delta; \Psi, R \Vdash B^+}{\Delta; \Psi \Vdash R \Rightarrow B^+}
\qquad
\frac{\Delta; \Psi, R \Vdash B^- > \gamma}{\Delta; \Psi \Vdash R \ltimes B^- > \gamma}
$$

Both connectives expand the rule context, introducing a scoped constructor of type $R$. The rule for $R \Rightarrow B^+$ builds a constructor pattern for $B^+$ under assumption of $R$ and essentially (if we ignore structural punctuation) looks like an implication right-rule, while the rule for $R \ltimes B^-$ builds a destructor pattern for $B^-$ and looks like a conjunction left-rule. However, as we will see in Section 2.5, these connectives behave quite differently from ordinary implication and conjunction, in part due to their non-standard polarity.

Most of the remaining rules (see Figure 2) for the connectives of polarized logic are unremarkable, since they simply carry the rule context through unchanged. The "shift" connectives $\uparrow$ and $\downarrow$ deserve explanation, though. Following Girard [14], these mark the boundary between positive and negative polarity, and correspondingly they mark the point where pattern-matching must end [41]. Because the rule context can change during the course of pattern-matching, it is necessary to associate assumptions and conclusions with a specific rule context. We indicate this with contextual formulas $(\Psi) A^+$ and $(\Psi) A^-$, so that the rules for the shift connectives are:

$$
\frac{}{(\Psi) A^-; \Psi \Vdash \downarrow A^-}
\qquad
\frac{}{\cdot\,; \Psi \Vdash \uparrow A^+ > (\Psi) A^+}
$$

In spite of this richer notion of patterns, the generic focusing rules of Figure 1 remain unchanged if we adopt some notational sleight-of-hand: we now take $C^+$ and $C^-$ to range over contextual formulas, and write $\Delta \Vdash (\Psi) A^+$ as notation for $\Delta; \Psi \Vdash A^+$, and $\Delta \Vdash (\Psi) A^- > \gamma$ for $\Delta; \Psi \Vdash A^- > \gamma$.



Example. Consider the syntax of the untyped $\lambda$-calculus:

$$
e ::= x \mid \lambda x.e \mid e_1\, e_2
$$

This syntax is represented in our type theory by the following definition signature $\Psi_\lambda$:

$$
\mathsf{lam} : \mathsf{exp} \Leftarrow (\mathsf{exp} \Rightarrow \mathsf{exp}) \;;\; \mathsf{app} : \mathsf{exp} \Leftarrow \mathsf{exp} \Leftarrow \mathsf{exp}
$$

For clarity, we name the rules in the rule context here, foreshadowing the presentation with proof terms in Section 3. The $\lambda$-calculus terms with free variables $x_1, \dots, x_n$ are isomorphic to derivations of the constructor pattern judgement $\cdot\,; \Psi_\lambda, x_1{:}\mathsf{exp}, \dots, x_n{:}\mathsf{exp} \Vdash \mathsf{exp}$. The fact that the rules defining $\mathsf{exp}$ may vary during a derivation is essential to this representation of the new variables bound in a term. The computational arrow then provides the means to induct over $\lambda$-terms: a negative value $\cdot \vdash (\Psi_\lambda)\, \mathsf{exp} \to \uparrow \mathsf{exp}$ represents a function from $\lambda$-terms in the empty context to $\lambda$-terms in the empty context. Such a term is defined by an $\omega$-rule which gives one case for each $\lambda$-term: whereas the traditional definitional reflection rule [16, 35] unrolls a definition only a single step, our inversion rules unroll a definition until they reach a polarity shift.
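To make the definitional-variation reading of this example concrete, here is an added Python sketch (not code from the paper or from its Agda/Coq embeddings) of the constructor-pattern judgement $\Delta; \Psi \Vdash p :: A^+$ for positive types. Formulas, rules and patterns are encoded as tuples, an encoding chosen for this sketch rather than the paper's syntax; negative formulas are kept opaque as strings, since the only pattern at a negative type is a variable at the shift $\downarrow A^-$, bound at the contextual type $(\Psi) A^-$ that records the rule context in scope. The checker exhibits the rule context growing under $\lambda u.p$, the correspondence between $\lambda$-terms with free variables $x_1, \dots, x_n$ and patterns under $\Psi_\lambda, x_1{:}\mathsf{exp}, \dots, x_n{:}\mathsf{exp}$, and linearity of pattern variables. Shadowed constructor names are rejected rather than $\alpha$-renamed, a simplification of this sketch.

```python
"""Toy checker for the constructor-pattern judgement  Delta; Psi |- p :: A+
of definitional variation.  Added example; the encodings are this sketch's own.

Positive formulas:  ('atom', P)            defined atom P
                    ('imp', R, B)          R => B, R a rule (head, [premises])
                    ('tensor', A, B)       A (x) B
                    ('plus', A, B)         A (+) B
                    ('down', 'A-')         shift of an (opaque) negative formula
Patterns:           ('con', u, [p1..pn])   apply rule u in Psi
                    ('lam', u, p)          \\u.p, binds a scoped constructor u : R
                    ('pair', p1, p2)  ('inl', p)  ('inr', p)
                    ('var', x)             pattern variable, only at a shift
"""

EXP = ('atom', 'exp')
VAR = ('exp', [])            # an object-language variable is a premise-free rule x : exp

# Signature Psi_lambda:  lam : exp <= (exp => exp) ;  app : exp <= exp <= exp
PSI_LAM = {
    'lam': ('exp', [('imp', VAR, EXP)]),
    'app': ('exp', [EXP, EXP]),
}


class PatternError(Exception):
    """Raised when p is not a constructor pattern for A in rule context psi."""


def check(psi, p, A):
    """Return the linear context Delta (a list of (x, contextual type)) such
    that Delta; psi |- p :: A, or raise PatternError."""
    tag = p[0]
    if tag == 'con':                      # u(p1..pn) with u : P <= A1 ... <= An in psi
        _, u, args = p
        if u not in psi:
            raise PatternError(f'no rule {u!r} in scope')
        head, premises = psi[u]
        if A != ('atom', head) or len(args) != len(premises):
            raise PatternError(f'{u!r} does not construct {A} from {len(args)} premises')
        delta = []
        for q, Ai in zip(args, premises):  # rules may be applied any number of times
            delta = _join(delta, check(psi, q, Ai))
        return delta
    if tag == 'lam':                      # \u.p :: R => B  checks p under psi, u:R
        _, u, body = p
        if A[0] != 'imp':
            raise PatternError(f'lambda pattern at non-representational type {A}')
        if u in psi:
            raise PatternError(f'{u!r} already in scope (alpha-rename the pattern first)')
        _, R, B = A
        return check({**psi, u: R}, body, B)
    if tag == 'pair' and A[0] == 'tensor':
        return _join(check(psi, p[1], A[1]), check(psi, p[2], A[2]))
    if tag in ('inl', 'inr') and A[0] == 'plus':
        return check(psi, p[1], A[1] if tag == 'inl' else A[2])
    if tag == 'var':                      # x :: down A-  binds x at contextual type (psi) A-
        if A[0] != 'down':
            raise PatternError('variable patterns occur only at a shift')
        return [(p[1], ('ctx', tuple(sorted(psi)), A[1]))]
    raise PatternError(f'pattern {p} does not match type {A}')


def _join(d1, d2):
    """Linear context concatenation: a pattern binds each variable once."""
    twice = {x for x, _ in d1} & {x for x, _ in d2}
    if twice:
        raise PatternError(f'variables bound twice: {sorted(twice)}')
    return d1 + d2


# --- the lambda-calculus example ---------------------------------------------

def encode(e):
    """Map an object-language term to a pattern.  Constructed term syntax:
    'x' | ('lam', 'x', e) | ('app', e1, e2)."""
    if isinstance(e, str):
        return ('con', e, [])                        # variable = nullary rule in scope
    if e[0] == 'lam':
        return ('con', 'lam', [('lam', e[1], encode(e[2]))])
    return ('con', 'app', [encode(e[1]), encode(e[2])])


def is_term(e, free=()):
    """Is e a lambda term with free variables among `free`?  This is exactly
    derivability of  .; Psi_lambda, x1:exp, ..., xn:exp |- encode(e) :: exp."""
    psi = {**PSI_LAM, **{x: VAR for x in free}}
    try:
        return check(psi, encode(e), EXP) == []
    except PatternError:
        return False


if __name__ == '__main__':
    omega = ('lam', 'x', ('app', 'x', 'x'))          # \x. x x, closed
    print(is_term(omega))                            # True
    print(is_term(('app', 'x', 'y'), free=('x',)))   # False: y is not in scope
```

A variable pattern placed under $\lambda u$ comes back with the contextual type $(\Psi_\lambda, u) A^-$, which is the point of the contextual formulas in the shift rules: the continuation that later consumes that variable knows which scoped constructors it may mention.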

2.4 Identity and Cut 

In addition to inductive types like $\mathsf{exp}$, the context $\Psi$ can be used to define arbitrary recursive types. For example, consider an atom $D$ defined by one constant

$$
\mathsf{d} : D \Leftarrow \downarrow (D \to \uparrow D)
$$

$D$ is essentially the recursive type $\mu X.\, X \to X$, which can be used to write non-terminating programs.

Because the rule context permits the definition of general recursive types, it should not be surprising that the identity and cut principles are not admissible in general. Through the Curry-Howard interpretation, however, we can still make sense of the identity and cut principles as corresponding, respectively, to the possibly infinite processes of $\eta$-expansion and $\beta$-reduction. We now state these principles, "prove" admissibility of cut with an operationally sound but possibly non-terminating procedure (see our technical report [22] for the analogous identity procedure), and then discuss criteria under which this proof is well-founded.

Principle 1 (Identity).

1. (neg. identity) If $C^- \in \Gamma$ then $\Gamma \vdash C^-$.

2. (pos. identity) $\Gamma \vdash C^+ > C^+$.

3. (identity substitution) If $\Delta \subseteq \Gamma$ then $\Gamma \vdash \Delta$.

Principle 2 (Cut).

1. (neg. reduction) If $\Gamma \vdash C^-$ and $\Gamma \vdash [C^-] > \gamma$ then $\Gamma \vdash \gamma$.

2. (pos. reduction) If $\Gamma \vdash [C^+]$ and $\Gamma \vdash C^+ > \gamma$ then $\Gamma \vdash \gamma$.

3. (composition)

(a) If $\Gamma \vdash \gamma_0$ and $\Gamma \vdash \gamma_0 > \gamma$ then $\Gamma \vdash \gamma$.

(b) If $\Gamma \vdash [C^-] > \gamma_0$ and $\Gamma \vdash \gamma_0 > \gamma$ then $\Gamma \vdash [C^-] > \gamma$.

(c) If $\Gamma \vdash \gamma_1 > \gamma_0$ and $\Gamma \vdash \gamma_0 > \gamma$ then $\Gamma \vdash \gamma_1 > \gamma$.

4. (substitution) For all six focusing judgements $J$, if $\Gamma \vdash \Delta$ and $\Gamma, \Delta \vdash J$ then $\Gamma \vdash J$.

Procedure. Consider the first cut principle. The two derivations must take the following form:

$$
\frac{\forall (\Delta \Vdash C^- > \gamma_0):\ \Gamma, \Delta \vdash \gamma_0}{\Gamma \vdash C^-}
\qquad
\frac{\Delta \Vdash C^- > \gamma_0 \quad \Gamma \vdash \Delta \quad \Gamma \vdash \gamma_0 > \gamma}{\Gamma \vdash [C^-] > \gamma}
$$

By plugging $\Delta \Vdash C^- > \gamma_0$ from the right derivation into the higher-order premise of the left derivation, we obtain $\Gamma, \Delta \vdash \gamma_0$. Then $\Gamma \vdash \gamma_0$ by substitution with $\Gamma \vdash \Delta$, whence $\Gamma \vdash \gamma$ by composition with $\Gamma \vdash \gamma_0 > \gamma$. The case of positive reduction is analogous (but appeals only to substitution).

In all cases of composition, if $\gamma_0 = X^-$ then the statement is trivial. Otherwise, we examine the last rule of the left derivation. For the first composition principle, there are two cases: either the sequent was derived by right-focusing on the conclusion $\gamma_0 = C^+$, or else by left-focusing on some hypothesis $C^- \in \Gamma$. In the former case, we immediately appeal to positive reduction. In the latter case, we apply the second composition principle, which in turn reduces to the third, which then reduces back to the first.

Likewise, to show substitution we examine the rule concluding $\Gamma, \Delta \vdash J$. Dually to the composition principle, the only interesting case is when the sequent was derived by left-focusing on $C^- \in \Delta$, wherein we immediately apply a negative reduction. □

Observe that we have made no mention of particular connectives or rule contexts, instead reasoning uniformly about focusing derivations. As we alluded to above, however, in general this procedure is not terminating. Here we state sufficient conditions for termination. They are stated in terms of a strict subformula ordering, a more abstract version of the usual structural subformula ordering.

Definition 1 (Strict subformula ordering). We define an ordering $C_1^\pm \sqsupset C_2^\pm$ between contextual formulas (read: $C_2^\pm$ is a strict subformula of $C_1^\pm$) as the least transitive relation closed under the following properties:

• If $\Delta \Vdash C_1^- > \gamma$ and $C_2^- \in \Delta$ then $C_1^- \sqsupset C_2^-$.

• If $\Delta \Vdash C_1^- > \gamma$ and $C_2^+ = \gamma$ then $C_1^- \sqsupset C_2^+$.

• If $\Delta \Vdash C_1^+$ and $C_2^- \in \Delta$ then $C_1^+ \sqsupset C_2^-$.

For any contextual formula $C^\pm$, we define $\sqsupset_C$ to be the restriction of $\sqsupset$ to formulas below $C^\pm$.

The strict subformula ordering does not mention atoms $X^+$ or $X^-$, since they only play a trivial role in identity and cut.

Definition 2 (Well-founded formulas). We say that a contextual formula $C^\pm$ is well-founded if $\sqsupset_C$ is well-founded.

Proposition 1. Positive and negative identity are admissible on well-founded formulas.

Proposition 2. Positive and negative reduction are admissible on well-founded formulas.

Proof. By inspection of the above procedure. Positive and negative reduction are proved by mutual induction using the order $\sqsupset_C$, with a side induction on the left derivation to show composition, and a side induction on the right derivation to show substitution. □



Definition 3 (Pure rules). A rule $R$ is called pure if it contains no shifted negative formulas $\downarrow A^-$ as premises (or structural subformulas of premises). For example, $\mathsf{exp} \Leftarrow (\mathsf{exp} \Rightarrow \mathsf{exp})$ is pure, but $D \Leftarrow \downarrow (D \to \uparrow D)$ is not.

Lemma 1. Suppose $(\Psi) A^\pm$ contains only pure rules (i.e., in $\Psi$, or as structural subformulas of $A^\pm$). Then $(\Psi) A^\pm$ is well-founded.

Proof. By induction on the structure of $A^\pm$. Every pattern typing rule (recall Figure 2) examines only structural subformulas of $A^\pm$, except when $A^+ = P$. But any $P$ defined by pure rules $P \Leftarrow A_1^+ \cdots \Leftarrow A_n^+$ in fact has no strict subformulas, since the $\Delta_i$ such that $\Delta_i; \Psi \Vdash A_i^+$ can contain only atomic formulas $X^+$. □

The restriction to pure rules precludes premises involving the computational arrow. However, as we show below, it includes all inference rules definable in the LF logical framework, generalizing Schroeder-Heister's [35] proof of cut-elimination for the fragment of definitional reflection with $\to$-free rules (since pure rules do not exclude $\Rightarrow$'s). Moreover, as we explained, the identity and cut principles are always operationally meaningful, even in the presence of arbitrary recursive types. Technically, we could adopt a coinductive reading of the focusing rules (cf. [14]), in which case identity is always productive, and cut-elimination is a partial operation that attempts to build a cut-free proof bottom-up. We conjecture that cut-elimination is total given a positivity restriction for rules.
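As an added example (not the paper's own code), the purity test of Definition 3 written as a syntactic check over a whole signature, using a tuple encoding of rules and positive formulas chosen for this sketch. It goes slightly beyond the two examples in the text: since a hypothesised rule $R$ in $R \Rightarrow B$ is itself a structural part of the premise, the walk descends into the premises of $R$ as well as into $B$, so a shift hidden inside a scoped rule is also caught. Negative formulas under a shift are kept opaque, because any $\downarrow A^-$ disqualifies the rule regardless of what $A^-$ is.

```python
"""Purity check for rules of definitional variation (Definition 3).  Added
example; the tuple encoding is this sketch's own, not the paper's syntax.

Rule:              (P, [A1, ..., An])          P <= A1 ... <= An
Positive formula:  ('atom', X)  ('imp', R, B)  ('tensor', A, B)  ('plus', A, B)
                   ('down', N)                 shift of a negative formula N (kept opaque)
"""


def structural_subformulas(A):
    """Yield A and its structural subformulas, entering R => B through both the
    premises of the rule R and the body B.  Defined atoms are not unfolded:
    purity is a syntactic property of one rule, not of the atoms it mentions."""
    yield A
    tag = A[0]
    if tag == 'imp':
        _, (_, premises), body = A
        for prem in premises:
            yield from structural_subformulas(prem)
        yield from structural_subformulas(body)
    elif tag in ('tensor', 'plus'):
        yield from structural_subformulas(A[1])
        yield from structural_subformulas(A[2])
    # 'atom' and 'down' have nothing further to descend into


def is_pure(rule):
    """A rule is pure iff no shifted negative formula  down A-  occurs as a
    premise or as a structural subformula of a premise."""
    _, premises = rule
    return all(sub[0] != 'down'
               for prem in premises
               for sub in structural_subformulas(prem))


def impure_rules(psi):
    """Names of the rules in signature psi that fail the purity check, i.e.
    the rules that fall outside the guarantee of Lemma 1."""
    return sorted(u for u, rule in psi.items() if not is_pure(rule))


EXP = ('atom', 'exp')
VAR_EXP = ('exp', [])

# Constructed signature: the paper's two examples plus one extra rule.
#   lam : exp <= (exp => exp)                pure (=> is allowed in pure rules)
#   app : exp <= exp <= exp                  pure
#   d   : D <= down(D -> up D)               impure: computational arrow under a shift
#   ev  : exp <= ((exp <= down(up nat)) => exp)
#                                            impure: the hypothesised rule's own premise
#                                            hides a shift, found only by descending into R
SIG = {
    'lam': ('exp', [('imp', VAR_EXP, EXP)]),
    'app': ('exp', [EXP, EXP]),
    'd':   ('D',   [('down', 'D -> up D')]),
    'ev':  ('exp', [('imp', ('exp', [('down', 'up nat')]), EXP)]),
}

if __name__ == '__main__':
    print(impure_rules(SIG))    # ['d', 'ev']
```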

2.5 Shock therapy 

In §6.2 of "Locus Solum", Girard [14] considers several "shocking equalities": counterintuitive properties of the universal and existential quantifiers that emerge when they are given non-standard polarities. For example, positive $\forall$ commutes under $\oplus$, while negative $\exists$ commutes over $\&$. In our setting, $\Rightarrow$ behaves almost like a positive universal quantifier, and $\ltimes$ almost like a negative existential.¹ And indeed, we can reproduce analogues of these commutations.



Definition 4. For two positive contextual formulas $C_1^+$ and $C_2^+$, we say that $C_1^+ \leq C_2^+$ if $\cdot \vdash C_1^+ > C_2^+$. For negative $C_1^-$ and $C_2^-$, we say $C_1^- \leq C_2^-$ if $C_1^- \vdash C_2^-$. We write $C_1^\pm \approx C_2^\pm$ when both $C_1^\pm \leq C_2^\pm$ and $C_2^\pm \leq C_1^\pm$. These relations are extended to (non-contextual) polarized formulas if they hold under all rule contexts.

Proposition 3 ("Shocking" equalities).

1. $R \Rightarrow (A^+ \oplus B^+) \approx (R \Rightarrow A^+) \oplus (R \Rightarrow B^+)$

2. $(R \ltimes A^-) \& (R \ltimes B^-) \approx R \ltimes (A^- \& B^-)$

¹These would become real quantifiers in an extension to dependent types.

Figure 3. Proof Terms



Proof. Immediate; indeed, in each case, both sides have an isomorphic set of patterns. □

Why are these equalities shocking? Well, if we ignore polarity and treat all the connectives as ordinary implication, disjunction, and conjunction, then (2) is reasonable but (1) is only valid in classical logic. And if we interpret $\Rightarrow$ and $\ltimes$ as $\forall$ and $\exists$, then both equations are shockingly anticlassical:

1. $\forall x.(A \oplus B) \approx (\forall x.A) \oplus (\forall x.B)$

2. $(\exists x.A) \& (\exists x.B) \approx \exists x.(A \& B)$

On the other hand, from a computational perspective, these equalities are quite familiar. For example, (1) says that a value of type $A \oplus B$ with a free variable is either the left injection of an $A$ with a free variable or the right injection of a $B$ with a free variable.

We can state another pair of surprising equivalences between the connectives $\Rightarrow$ and $\ltimes$ under polarity shifts:

Proposition 4 (Some/any).

1. $\downarrow (R \ltimes A^-) \approx R \Rightarrow \downarrow A^-$

2. $\uparrow (R \Rightarrow A^+) \approx R \ltimes \uparrow A^+$

Again, this coincidence under shifts is not too surprising, since it recalls the some/any quantifier $\text{И}x.A$ of nominal logic [31], as well as the self-dual $\nabla$ connective of Miller and Tiu [25]. $\text{И}x.A$ can be interpreted as asserting either that $A$ holds for some fresh name, or for all fresh names, with both interpretations being equivalent.

3 Proof Terms 

In Figure 3, we present a proof term assignment to the focused sequent calculus described above, with one proof term for each rule in the calculus. Additionally, we internalize the cut and identity principles: $v^- \bullet k^-$ and $v^+ \bullet k^+$ witness reduction; $e\,; k^+$ and $k^-; k^+$ and $k_1; k_2$ witness composition; and $x$ and $\epsilon$ and $\mathsf{id}$ witness identity. For programming convenience (see Section 5), we also internalize an admissible substitution concatenation principle $(\sigma_1, \sigma_2)$, and a general recursion operator $\mathsf{fix}(x.v^-)$. To make the examples below more concise, we tacitly parametrize all judgements by a fixed initial definition context $\Sigma$, which acts as a prefix on each contextual formula in the judgement forms (i.e., $(\Psi) A$ acts as $(\Sigma, \Psi) A$ did without the signature). The full typing rules are presented in Figures 6 and 7 at the end of this article.

Figure 4. Operational Semantics

$\alpha$-equivalence. The pattern for a contextual type $(\Psi) A^+$ is a contextual pattern $\Psi.p$, where $\Psi$ notates the bare variables (no rule annotations) from $\Psi$. Contextual patterns for $(\Psi) A^+$ are modal [27], all of the rule variables free in the pattern must be explicitly bound by $\Psi$, and are typed by the judgement $\Delta \Vdash \Psi.p :: (\Psi) A^+$. This judgement is defined by passing to the judgement $\Delta; \Psi \Vdash p :: A^+$, in which the variables in $\Psi$ are free in $p$. Negative patterns $\Psi.n$ are typed similarly:

$$
\frac{\Delta; \Psi \Vdash p :: A^+}{\Delta \Vdash \Psi.p :: (\Psi) A^+}
\qquad
\frac{\Delta; \Psi \Vdash n :: A^- > \gamma}{\Delta \Vdash \Psi.n :: (\Psi) A^- > \gamma}
$$

In the sequent calculus above, we treated the judgements $\Delta \Vdash (\Psi) A^+$ and $\Delta; \Psi \Vdash A^+$ synonymously, but here this distinction clarifies the binding structure of our language. The proof terms $\Psi.p$ and $\Psi.n$, as well as the proof terms $\lambda u.p$ and $\mathsf{unpack}\; u.n$ for $\Rightarrow$ and $\ltimes$, are binding forms, and the standard notion of $\alpha$-equivalence applies to them and to the context $\Psi$ in the typing judgements for $p$ and $n$. Other contexts $\Psi'$ appear in contextual types in $\Delta$ and $\gamma$, but these are separate binding occurrences and can be renamed independently.² Similarly, in $\Delta \Vdash \Psi.p :: (\Psi) A^+$, the variables in the pattern's $\Psi$ and in the type's $\Psi$ are independent binding occurrences. Because patterns are modal, no rule variables are free in values, continuations, expressions, or substitutions. We tacitly quotient patterns by $\alpha$-equivalence at the meta-level, so that meta-functions are defined on $\alpha$-equivalence classes of patterns. This ensures that computational functions respect $\alpha$-equivalence of represented languages.

Meta-functions. Our type theory is, by design, open-ended with respect to the meta-functions $\phi$, mapping patterns to expressions, which are used to represent case-analysis and induction. We have exploited this freedom by implementing simple embeddings of our language in Agda and Coq,³ where meta-functions are realized as functions in Agda/Coq, and totality of meta-functions is established using the pattern coverage checkers of these existing tools. Both of these embeddings use de Bruijn indices to represent rule variables, but other implementations of our type theory are free to use different representations of variables, and program fragments written using different representations of binding can be combined.

Operational Semantics. In Figure 4, we adapt the above cut-elimination procedure into a small-step operational semantics on closed expressions. We use an auxiliary meta-operation $e[\sigma]$ implementing capture-avoiding substitution, which is defined using the induction principle for the iterated inductive definition of our proof term syntax. Consequently, the operational semantics require that the class of meta-functions $\phi$ is closed under definitions using this induction principle.

Theorem 1 (Type safety).

Progress: If $\cdot \vdash e : \gamma$ then $e = v^+$ or $e \mapsto e'$.

Preservation: If $\cdot \vdash e : \gamma$ and $e \mapsto e'$ then $\cdot \vdash e' : \gamma$.

4 Adequacy and Structural Properties 

4.1 Embedding of Simply-Typed LF 

The canonical forms of simply-typed LF (STLF) [40] are summarized in Figure 5. We show that the STLF terms exist as closed patterns, and therefore as values, in our type theory. This theorem permits us to inherit en masse the adequacy of all systems that have been represented in STLF, e.g., the above signature $\Psi_\lambda$, which is the embedding of the usual LF encoding of this syntax.

²In our simply-typed setting, these contexts need not carry variables at all, but the variables would be necessary for dependency.

³Available from http://www.cs.cmu.edu/~drl/

Figure 5. Simply-typed LF

Every STLF type $\tau$ can be parsed both as an inference 
rule $r(\tau)$ and as a positive formula $p(\tau)$ (for convenience, 
we identify STLF base types with our defined atoms P): 

$r(\tau_1 \supset \cdots \supset \tau_n \supset P) = P \Leftarrow p(\tau_1) \cdots \Leftarrow p(\tau_n)$ 

$p(P) = P$ 

$p(\tau_1 \supset \tau_2) = r(\tau_1) \Rightarrow p(\tau_2)$ 

The function $r(\tau)$ can then be used to map STLF signatures 
$\Sigma$ and contexts $\Phi$ to inference rule contexts $\Psi$. 

Theorem 2 (Embedding of STLF). Let $r(\Sigma) = \Psi_\Sigma$ and 
$r(\Phi) = \Psi_\Phi$, and $p(\tau) = A^{+}$. Then there is a bijection be- 
tween canonical STLF terms M such that $\Phi \vdash_\Sigma M : \tau$ and 
patterns p such that $\cdot\,;\,\Psi_\Phi \Vdash p :: A^{+}$ in signature $\Psi_\Sigma$. 

Proof. Map $\lambda x.M$ to $\lambda x.p$ and $x\,M_1 \ldots M_n$ to $x\,p_1 \ldots p_n$. □ 



To check that LF substitution is faithfully modelled in 
our calculus, we can recast the usual hereditary substitution 
algorithm for LF [40] as a meta-operation on closed pat- 
terns. However, it is also possible to prove a much more 
general substitution principle, which covers many uses of 
iterated inductive definitions. 

4.2 Structural Properties 

As discussed above, the rule context $\Psi$ does not in gen- 
eral satisfy the structural properties of a hypothetical judge- 
ment, because computational functions can be used to de- 
fine impure rules. However, we can establish the structural 
properties generically under sufficient conditions that com- 
putational functions cannot interfere. To state these condi- 
tions, we use a notion of subordination [39], which tracks 
when values of one type are relevant to values of another. 
First, we define a judgement $P \not\prec A^{+} \in \Psi$ ("P is insubor- 
dinate to $A^{+}$"), which means that no rule concluding P can 
be used by a value of type $A^{+}$. Next, we define a judge- 
ment $P \curlyvee A^{+} \in \Psi$ ("P is uncircumscribed by $A^{+}$"), which 
means that P is insubordinate to the domain of any compu- 
tational arrow in $A^{+}$. We say that a rule $P \Leftarrow A_1^{+} \cdots \Leftarrow A_n^{+}$ is 
insubordinate to/uncircumscribed by $A^{+}$ iff P is. Finally, we 
define a judgement $\mathsf{bindsof}\ A^{+} \curlyvee B^{+} \in \Psi$, which means that 
all rules that may be bound by a value of type $A^{+}$ are un- 
circumscribed by $B^{+}$. We refer the interested reader to our 
companion Agda code for the formal definitions of these 
judgements. 

Let $R = P \Leftarrow A_1^{+} \cdots \Leftarrow A_n^{+}$. Using our Agda implementa- 
tion, we have given negative values of the following types: 

• strengthen : $(\Psi)((R \Rightarrow A^{+}) \to A^{+})$ if $P \not\prec A^{+} \in \Psi, u{:}R$. 

• weaken : $(\Psi)(A^{+} \to (R \Rightarrow A^{+}))$ if $P \curlyvee A^{+} \in \Psi, u{:}R$. 

• apply : $(\Psi)(((P \Rightarrow A^{+}) \otimes P) \to A^{+})$ if $P \curlyvee A^{+} \in \Psi$ 
and $\mathsf{bindsof}\ A^{+} \curlyvee P \in (\Psi, u{:}P)$. 

The function strengthen removes an insubordinate rule from 
the context. The function weaken adds an uncircumscribed 
rule to the context. The value apply substitutes a value 
for a base type; the subordination conditions are neces- 
sary for strengthening the arguments to computational func- 
tions in $A^{+}$ ($P \curlyvee A^{+} \in \Psi, u{:}P$) and for weakening the proof of 
P as the substitution operation passes under binders in $A^{+}$ 
($\mathsf{bindsof}\ A^{+} \curlyvee P \in (\Psi, u{:}P)$). These functions are defined 
by the same recursion on types as the proof of the identity 
theorem in Section 2, and they are total/productive in the 
same circumstances as identity. At present, we have only 
implemented substitution for base types generically, though 
we conjecture a generalization to all higher-order rules in 
the embedding of LF. 

To illustrate these structural properties, consider a 
signature $\Psi$ with constants lam : exp ⇐ (exp ⇒ exp) and 
omega : exp ⇐ ↓(nat → ↑exp), which might arise in repre- 
senting a proof theory for natural numbers with an ω-rule. 
In this signature, exp is insubordinate to nat (expressions 
cannot be used to build natural numbers), but exp is not in- 
subordinate to exp (expressions can be used to build expres- 
sions). Thus, strengthen permits strengthening away exp- 
variables, but not nat-variables, from a nat. However, exp 
is uncircumscribed by exp, whereas nat is not uncircum- 
scribed by exp (because of the computational premise of 
omega). Thus, weaken allows for weakening an exp with 
an exp, but not with a nat (which would add a new case to 
the computational argument to omega). Moreover, the only 
rule bound by exp, namely exp, is uncircumscribed by exp, 
so apply allows for substituting an exp into an exp. 
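As an added, runnable illustration (not the paper's Agda development), the following Python models the translation r(τ)/p(τ) of Section 4.1 together with the subordination side conditions of Section 4.2, checked on the lam/omega signature above. The judgements are an over-approximation we define here from the informal descriptions; the paper's formal definitions are in its companion Agda code, and the toy syntax (Atom, Rule, RuleImp, CompFun), the STLF encoding and every helper name are ours.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple, Union

# Toy syntax for positive formulas A+ and rules R (ours, not the paper's);
# tensor is omitted because the example does not need it.
@dataclass(frozen=True)
class Atom:                # defined atom P
    name: str

@dataclass(frozen=True)
class Rule:                # P <= A1+ ... <= An+
    concl: str
    premises: Tuple["Pos", ...] = ()

@dataclass(frozen=True)
class RuleImp:             # R => A+, a representational function binding u : R
    rule: Rule
    body: "Pos"

@dataclass(frozen=True)
class CompFun:             # down(A+ -> up B+), a computational function
    dom: "Pos"
    cod: "Pos"

Pos = Union[Atom, RuleImp, CompFun]
Signature = Dict[str, Rule]
STLF = Union[str, Tuple[str, "STLF", "STLF"]]   # base type, or ("->", dom, cod)

def p(tau: STLF) -> Pos:
    """p(P) = P ; p(t1 -> t2) = r(t1) => p(t2)."""
    if isinstance(tau, str):
        return Atom(tau)
    _, t1, t2 = tau
    return RuleImp(r(t1), p(t2))

def r(tau: STLF) -> Rule:
    """r(t1 -> ... -> tn -> P) = P <= p(t1) ... <= p(tn)."""
    prems: List[Pos] = []
    while not isinstance(tau, str):
        _, t1, tau = tau
        prems.append(p(t1))
    return Rule(tau, tuple(prems))

def subformulas(a: Pos) -> Iterator[Pos]:
    """a and its positive subformulas, including premises of rules bound by =>."""
    yield a
    if isinstance(a, RuleImp):
        for prem in a.rule.premises:
            yield from subformulas(prem)
        yield from subformulas(a.body)
    elif isinstance(a, CompFun):
        yield from subformulas(a.dom)
        yield from subformulas(a.cod)

def uses(sig: Signature, a: Pos) -> Set[str]:
    """Atoms Q such that a value of type a may apply a rule concluding Q
    (closed under the premises of signature rules; an over-approximation)."""
    todo = [s.name for s in subformulas(a) if isinstance(s, Atom)]
    seen: Set[str] = set()
    while todo:
        q = todo.pop()
        if q in seen:
            continue
        seen.add(q)
        for rule in sig.values():
            if rule.concl == q:
                for prem in rule.premises:
                    todo += [s.name for s in subformulas(prem) if isinstance(s, Atom)]
    return seen

def reachable(sig: Signature, a: Pos) -> List[Pos]:
    """Subformulas of a and of every signature rule a value of type a may use."""
    out = list(subformulas(a))
    used = uses(sig, a)
    for rule in sig.values():
        if rule.concl in used:
            for prem in rule.premises:
                out += list(subformulas(prem))
    return out

def insubordinate(sig: Signature, P: str, a: Pos) -> bool:
    """No rule concluding P can be used by a value of type a."""
    return P not in uses(sig, a)

def uncircumscribed(sig: Signature, P: str, a: Pos) -> bool:
    """P is insubordinate to the domain of every computational arrow in a."""
    return all(insubordinate(sig, P, s.dom) for s in reachable(sig, a) if isinstance(s, CompFun))

def bindsof_uncircumscribed(sig: Signature, a: Pos, b: Pos) -> bool:
    """Every rule a value of type a may bind is uncircumscribed by b."""
    return all(uncircumscribed(sig, s.rule.concl, b) for s in reachable(sig, a) if isinstance(s, RuleImp))

# Side conditions of strengthen, weaken and apply, as stated in Section 4.2.
def can_strengthen(sig: Signature, P: str, a: Pos) -> bool:
    return insubordinate(sig, P, a)

def can_weaken(sig: Signature, P: str, a: Pos) -> bool:
    return uncircumscribed(sig, P, a)

def can_apply(sig: Signature, P: str, a: Pos) -> bool:
    return uncircumscribed(sig, P, a) and bindsof_uncircumscribed(sig, a, Atom(P))

# The signature of Section 4.2; lam is obtained from the STLF type (exp -> exp) -> exp via r.
nat, exp = Atom("nat"), Atom("exp")
SIG: Signature = {
    "zero": Rule("nat"),
    "succ": Rule("nat", (nat,)),
    "lam": r(("->", ("->", "exp", "exp"), "exp")),   # exp <= (exp => exp)
    "omega": Rule("exp", (CompFun(nat, exp),)),       # exp <= down(nat -> up exp)
}
```

Running the checks reproduces the paragraph above: `can_strengthen(SIG, "exp", nat)` holds while `can_strengthen(SIG, "nat", nat)` does not; `can_weaken(SIG, "exp", exp)` holds while `can_weaken(SIG, "nat", exp)` fails because omega's computational premise has domain nat; and `can_apply(SIG, "exp", exp)` holds because the only rule bound by an exp (via lam) is uncircumscribed by exp.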

5 Programming Example 

We present one simple example of mixing binding and 
computation; our companion technical report [22] contains 



several additional examples, including ones illustrating our 
approach to computing with open terms. We write the ex- 
ample using a named syntax for rule variables, which could 
either be implemented directly in a proof assistant, or elab- 
orated into de Bruijn form. 

Consider the syntax of a simple language of arithmetic 
expressions, where numeric primitives are represented by 
computational functions. In LF, each primitive operation 
would require its own constructor; here, we represent bi- 
nary primops (binops) uniformly as computational func- 
tions of type nat ⊗ nat → ↑nat. The language includes nu- 
meric constants, binops, and let-binding: 

    zero : nat,   succ : nat ⇐ nat, 
    num : ari ⇐ nat 
    binop : ari ⇐ ari ⇐ ↓(nat ⊗ nat → ↑nat) ⇐ ari 
    let : ari ⇐ ari ⇐ (ari ⇒ ari) 

For example, if plus is a function (negative value) of type 
(·)(nat ⊗ nat → ↑nat) implementing addition on nats, then 
the value (binop (num 4) f (num 5))[plus/f] is the abstract 
syntax for the arithmetic expression "4 + 5". We implement 
an evaluator for closed programs using a fixed point: 

    · ⊢ eval : (·) ari → ↑nat 
    eval = fix(ev. val⁻(p ; ε ↦ ev* p)) 

The body of the negative value is defined by a meta-function 
(an Agda function in our Agda implementation), where the 
variable ev is the recursive reference: 

    ∀(Δ ⊩ c :: (·) ari) : (ev : (·) ari → ↑nat, Δ) ⊢ (ev* c) : (·) nat 
    ev* (num p)          ↦ p 
    ev* (binop p₁ f p₂)  ↦ ev • (p₁ ; cont⁺(p₁' ↦ ev • (p₂ ; cont⁺(p₂' ↦ f • (p₁', p₂'))))) 
    ev* (let p₀ (λu.p))  ↦ apply • ((λu.p, p₀) ; cont⁺(p' ↦ ev • p')) 

In this code, we employ a bit of syntactic sugar, suppressing 
the ε terminating a destructor pattern, the identity substitu- 
tion id, and the identity case-analysis ε. The variables p are 
meta-variables ranging over patterns (Agda variables in our 
Agda implementation), which allow us to specify the behav- 
ior of ev* on all arithmetic expressions using only finitely 
many cases. In the binop case, we recursively evaluate the 
first argument p₁ and match the result as p₁', then we evalu- 
ate the second argument p₂ and match it as p₂', and finally 
we apply the embedded computational function f to the 
values of the arguments. In the let case, we apply the body 
of the let to the let-bound term and evaluate the result. The 
function apply, which was discussed in Section 4, applies a 
representational function to an argument by performing sub- 
stitution. The subordination conditions necessary for calling 
apply are satisfied in this case: while the rules for ari use a 
computational function that circumscribes nat, they do not 
circumscribe ari. 
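The Section 5 evaluator, as an added Python illustration rather than the paper's Agda code: binops carry an ordinary Python function in place of the embedded computational function of type ↓(nat ⊗ nat → ↑nat), rule variables bound by let are de Bruijn indices (the representation the paper's own embeddings use), and apply substitutes a closed term for the bound variable while passing under inner let binders. The constructor names, is_closed, run and the sample programs are ours.

```python
from dataclasses import dataclass
from typing import Callable, Union

@dataclass(frozen=True)
class Num:                  # num : ari <= nat
    n: int

@dataclass(frozen=True)
class Binop:                # binop : ari <= ari <= down(nat (x) nat -> up nat) <= ari
    left: "Ari"
    f: Callable[[int, int], int]   # the embedded computational function
    right: "Ari"

@dataclass(frozen=True)
class Let:                  # let : ari <= ari <= (ari => ari); index 0 in body is the bound variable
    bound: "Ari"
    body: "Ari"

@dataclass(frozen=True)
class Var:                  # a rule variable u : ari, as a de Bruijn index
    index: int

Ari = Union[Num, Binop, Let, Var]

def is_closed(t: Ari, depth: int = 0) -> bool:
    """True iff every Var refers to an enclosing Let (what the type system guarantees in the paper)."""
    if isinstance(t, Var):
        return t.index < depth
    if isinstance(t, Binop):
        return is_closed(t.left, depth) and is_closed(t.right, depth)
    if isinstance(t, Let):
        return is_closed(t.bound, depth) and is_closed(t.body, depth + 1)
    return True

def apply(body: Ari, value: Ari, depth: int = 0) -> Ari:
    """Substitute the closed term `value` for the variable bound at `depth`
    (index 0 at the top), passing under Let binders: the paper's apply at a base type."""
    if isinstance(body, Var):
        if body.index == depth:
            return value                     # value is closed, so no shifting is needed
        return Var(body.index - 1) if body.index > depth else body
    if isinstance(body, Binop):
        return Binop(apply(body.left, value, depth), body.f, apply(body.right, value, depth))
    if isinstance(body, Let):
        return Let(apply(body.bound, value, depth), apply(body.body, value, depth + 1))
    return body

def eval_closed(t: Ari) -> int:
    """ev*: one case per constructor of ari, as in the paper's meta-function."""
    if isinstance(t, Num):
        return t.n
    if isinstance(t, Binop):
        v1 = eval_closed(t.left)             # evaluate the first argument ...
        v2 = eval_closed(t.right)            # ... then the second ...
        return t.f(v1, v2)                   # ... then call the embedded computational function
    if isinstance(t, Let):
        return eval_closed(apply(t.body, t.bound))   # substitute the let-bound term, then evaluate
    raise ValueError(f"open term: unbound variable {t.index}")

def run(t: Ari) -> int:
    """eval is only defined on closed programs; reject open ones up front."""
    if not is_closed(t):
        raise ValueError("eval is only defined on closed programs")
    return eval_closed(t)

def plus(a: int, b: int) -> int:
    return a + b

def times(a: int, b: int) -> int:
    return a * b

# "4 + 5", i.e. (binop (num 4) f (num 5))[plus/f] in the paper's notation (constructed sample).
FOUR_PLUS_FIVE = Binop(Num(4), plus, Num(5))
# let x = 4 + 5 in let y = x + 1 in x * y  (constructed sample; exercises substitution under a binder)
NESTED = Let(FOUR_PLUS_FIVE, Let(Binop(Var(0), plus, Num(1)), Binop(Var(1), times, Var(0))))

if __name__ == "__main__":
    print(run(FOUR_PLUS_FIVE), run(NESTED))   # 9 90
```

Because the let-bound term is substituted unevaluated, exactly as in the paper's let case, FOUR_PLUS_FIVE is evaluated twice inside NESTED; an evaluator that substituted the value instead would need the result to be re-injected with num.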



6 Related Work 

Variable binding can be implemented concretely in a va- 
riety of ways (see Aydemir et al. [5] for a survey). Among 
the concrete representation techniques, definitional varia- 
tion is most similar to representations where the context 
of a term is marked in its type, such as de Bruijn repre- 
sentations using nested types or dependency [1, 6, 7]. In 
these representations, binders introduce a new constructor 
for variables, which are explicitly injected into terms. Our 
framework builds this use of dependency into the language: 
all types are contextual and all datatypes may be extended 
by rule variables introduced by => and X. This creates 
an opportunity to implement the structural properties once 
(modulo subordination conditions) for all types, including 
negative types such as computational functions, and to ab- 
stract away from the concrete implementation of variables 
themselves — as in LF, we can provide a named notation 
without requiring the programmer to manage names. 

In systems based on the LF logical framework [17], LF 
is taken as a pure representation language, and a separate 
layer is provided for computation. In Twelf [29], Del- 
phin [33], and Beluga [30], the computational layer is an 
entirely separate language. Schiirmann et al. [36] describe 
an approach in which the same arrow is used for both com- 
putation and representation, with primitive recursion iso- 
lated by a modality, but computation is nonetheless segre- 
gated because the computational modality cannot appear in 
rules. These stratified approaches have the advantage that 
all representations automatically obey the structural prop- 
erties of a hypothetical judgement, with the disadvantage 
that certain encoding techniques, which rely on embedding 
computation in data, are not possible. Our framework re- 
moves this stratification, allowing rules that embed compu- 
tation, with the consequence that not all representable rule 
systems satisfy the structural properties. However, as dis- 
cussed in Section 4, we have implemented strengthening, 
weakening, and substitution generically under certain sub- 
ordination conditions. Consequently, our framework pro- 
vides meta-operations implementing the structural proper- 
ties "for free" for all rule systems definable in simply-typed 
LF, as well as for many more rule systems that use iterated 
inductive definitions. 

Our current framework lacks dependent types, a limita- 
tion we plan to address in future work. In a dependently- 
typed setting, equality of terms influences equality of types, 
and equality of types influences type checking. In our set- 
ting, type checking will thus depend on the equational be- 
havior of the meta-functions implementing the structural 
properties such as substitution. We are optimistic that the 
equational theory of the LF fragment of our framework will 
agree with LF definitional equality, even in an intensional 
setting, because we have implemented substitution by ex- 
tending the hereditary substitution algorithm used in canon- 
ical LF [40]. However, we leave a detailed investigation of 
this issue to future work. 

It is tempting to try to reuse the computational func- 
tion space of existing proof assistants such as Coq and Is- 
abelle/HOL to represent binding, but the naive approach 
admits too many functions. One solution to this problem 
is to use a predicate to identify those computational func- 
tions that are in fact substitution functions [2, 9, 11, 18, 26]. 
Another solution is to bind meta-language variables of an 
abstract type defined only by an axiomatic characterization 
of the properties of variables [8]. In contrast, our repre- 
sentational functions provide a direct means of adequately 
encoding binding, without requiring side conditions or ax- 
ioms. Moreover, as we hope to have demonstrated, encod- 
ing ⇒ in terms of → ignores some of its essential prop- 
erties, such as the distributivity principles in Section 2.5, 
and the ability to decompose a representational function by 
pattern-matching. 

Nominal logic [13] is a theory of names and binding that 
has been implemented in several programming languages 
(e.g., FreshML [32, 37] and the Isabelle nominal datatype 
package [38]). The differences between the nominal ap- 
proach and ours stem from the fact that FreshML sepa- 
rates fresh name generation from the binding of a name in 
a scope, whereas in our type theory rule variables do not 
exist outside of the scope in which they are bound. Nomi- 
nal logic facilitates the direct representation of informal al- 
gorithms that use names without being explicit about their 
scope, whereas our approach follows the LF methodology 
of recasting these algorithms in terms of a more disciplined 
binding structure. Separating name generation from scop- 
ing makes it more difficult to determine what names are free 
in a computation, requiring freshness analyses [32], specifi- 
cation logics [34], or stateful operational semantics [37] in 
order to ensure that functions respect α-equivalence of rep- 
resentations. In contrast, the free rule variables of all com- 
putations are tracked by our type system, and respect for 
α-equivalence is achieved simply, by quotienting patterns 
by α-equivalence. 

In light of the present analysis, it is interesting to re- 
examine an old proposal by Miller [24] for an extension 
to ML with primitives for binding, including a new func- 
tion type 'a => 'b and a restricted form of higher-order 
pattern-matching. For example, the fact that the codomain 
' b must be an equality type in Miller's proposal is related 
to the present restriction that the codomain A⁺ be positive 
(although it is less general, since A⁺ can contain embedded 
negative formulas, which are not equality types). Techni- 
cally, we are able to go beyond Miller's proposal because 
we associate negative hypotheses with a context of param- 
eters. This idea appears in Miller and Tiu's more recent 
work [25], as well as in contextual modal type theory [27]. 



Indeed, Miller and Tiu's self-dual V connective is closely 
related to and A, also capturing the notion of a scoped 
constant. An essential difference, however, is that because 
the ∇ proof theory adopts a logic programming-based dis- 
tinction between propositions and types (∇ quantifies over a 
type and forms a proposition), it is significantly less subtle 
than definitional variation. For example, ∇ cannot appear in 
the domain of a ∇ (in contrast to ⇒). 

Fiore et al. [12] and Hofmann [19] give semantic ac- 
counts of variable binding. It would be interesting to see 
whether these semantic accounts can be extended to rule 
systems such as ours which permit computational functions 
in premises. 

7 Conclusion 

We have presented a language that enables the free inter- 
action of binding with computation, extracted as the Curry- 
Howard interpretation of a focused sequent calculus with 
two forms of implication. We believe this provides an ap- 
propriate logical foundation, but much work remains to be 
done. We plan to pursue an independent implementation 
of our language by giving a first-order language for meta- 
functions, rather than relying on existing tools. Addition- 
ally, a generalization to dependent types (which we have 
already begun to explore [21]) would realize the goal of 
giving intrinsic support for variable binding in a construc- 
tive type theory, combining the best of frameworks such as 
Twelf and Coq. 
[Figure 6. Focusing rules with proof terms] 
[Figure 7. Constructor and destructor patterns] 



